2026年将是端侧智能体爆发之年。
1 分•作者: mycelial_ali•6 个月前
我一直在构建本地 AI 记忆层,每次试图让助手拥有状态时,都会遇到同样的问题。
代理在当下表现出色,然后它就忘记了。或者它记错了事情,并将其固化为永久的信念。一次性的评论变成了身份。一句随意的句子变成了持久的特质。这并不是模型质量问题,而是状态管理问题。
大多数人将记忆描述为“更多上下文”。更大的窗口、更多的检索、更多的提示填充。这对于聊天机器人来说没问题。但代理是不同的。代理会规划、执行、更新信念,并在第二天回来。一旦你跨越了这条线,记忆就不再是一个功能,而变成了基础设施。
我反复思考的心理模型是一个操作系统。
1. 存储什么
2. 压缩什么
3. 将什么从“可能”提升为“真实”
4. 衰减什么
5. 删除什么
6. 从一开始就不应该成为持久记忆的内容
如果你观察当今大多数记忆堆栈的运作方式,其流程基本相同。
捕获交互。总结或提取。嵌入。存储向量和元数据。检索。注入到提示中。写回新的记忆。
这个循环本身并没有错。更大的问题是循环在哪里运行。在许多实际部署中,最敏感的部分发生在用户环境之外。原始交互会很早就被发送出去,在你最小化或编辑任何内容之前,在你决定什么应该成为持久内容之前。
当记忆优先考虑云端时,安全模型会以一种非常特殊的方式变得混乱。记忆往往会在系统之间倍增。一次交互会变成原始片段、摘要、嵌入、元数据和检索跟踪。即使每个工件单独看起来无害,但组合系统也可以以令人不安的保真度重建一个人的历史。
然后是信任边界问题。如果检索到的记忆被视为可信的上下文,那么检索就成为了提示注入和中毒可能持续存在的地方。一个被写入记忆的错误指令不仅仅会影响一个响应。它可能会作为“真相”反复出现,除非你拥有类似于验证、隔离、删除和审计的治理措施。
集中式记忆也成为了一个高价值目标。它不仅仅是用户数据,而是组织好的意图和偏好,并为搜索建立索引。这正是攻击者想要的。
即使你忽略安全问题,云也会引入延迟耦合。如果你的代理不断地读写记忆,你就要为系统中最高频的操作支付网络费用。
这就是为什么我认为边缘不是一个限制。它才是关键。如果记忆是身份,那么身份就不应该默认为离开设备。
还有一个硬件角度也很重要,因为代理变得越来越持久。CXL 在这里很有趣,因为它支持内存池。每个机器不再是一个孤岛,内存可以被分解并分配为共享资源。这并不会神奇地创造无限的上下文,但它确实推动堆栈将代理状态视为一个真正的受管理底层,而不仅仅是令牌。
我对 2026 年的预测很简单。胜出的代理架构将把认知与维护分开。使用较小的本地模型来完成重复的记忆工作,如总结、提取、标记、冗余检查和提升决策。为需要大量推理的罕见时刻保留更大的模型。将持久状态保存在磁盘上,这样它就可以在重启后存活,可以被检查,并且可以真正被删除。
很好奇其他人看到了什么。对于构建代理的人来说,今天在本地运行记忆的最大障碍是什么:模型质量、工具、部署、评估,还是其他什么?
查看原文
I have been building a local AI memory layer for a while, and the same problem shows up every time you try to make an assistant feel stateful.<p>The agent is impressive in the moment, then it forgets. Or it remembers the wrong thing and hardens it into a permanent belief. A one off comment becomes identity. A stray sentence becomes a durable trait. That is not a model quality issue. It is a state management issue.<p>Most people talk about memory as “more context.” Bigger windows, more retrieval, more prompt stuffing. That is fine for chatbots. Agents are different. Agents plan, execute, update beliefs, and come back tomorrow. Once you cross that line, memory stops being a feature and becomes infrastructure.<p>The mental model I keep coming back to is an operating system.<p>1.What gets stored
2.What gets compressed
3.What gets promoted from “maybe” to “true”
4.What decays
5.What gets deleted
6.What should never become durable memory in the first place<p>If you look at what most memory stacks do today, the pipeline is basically the same everywhere.<p>Capture the interaction. Summarize or extract. Embed. Store vectors and metadata. Retrieve. Inject into the prompt. Write back new memories.<p>That loop is not inherently wrong. The bigger issue is where the loop runs. In a lot of real deployments, the most sensitive parts happen outside the user’s environment. Raw interactions get shipped out early, before you have minimized or redacted anything, and before you have decided what should become durable.<p>When memory goes cloud first, the security model gets messy in a very specific way. Memory tends to multiply across systems. One interaction becomes raw snippets, summaries, embeddings, metadata, and retrieval traces. Even if each artifact feels harmless alone, the combined system can reconstruct a person’s history with uncomfortable fidelity.<p>Then there is the trust boundary problem. If retrieved memories are treated as trusted context, retrieval becomes a place where prompt injection and poisoning can persist. A bad instruction that gets written into memory does not just affect one response. It can keep resurfacing later as “truth” unless you have governance that looks like validation, quarantine, deletion, and audit.<p>Centralized memory also becomes a high value target. It is not just user data, it is organized intent and preference, indexed for search. That is exactly what attackers want.<p>And even if you ignore security, cloud introduces latency coupling. If your agent reads and writes memory constantly, you are paying a network tax on the most frequent operations in the system.<p>This is why I think the edge is not a constraint. It is the point. If memory is identity, identity should not default to leaving the device.<p>There is also a hardware angle that matters as agents become more persistent. CXL is interesting here because it enables memory pooling. Instead of each machine being an island, memory can be disaggregated and allocated as a shared resource. That does not magically create infinite context, but it does push the stack toward treating agent state as a real managed substrate, not just tokens.<p>My bet for 2026 is simple. The winning agent architectures will separate cognition from maintenance. Use smaller local models for the repetitive memory work like summarization, extraction, tagging, redundancy checks, and promotion decisions. Reserve larger models for the rare moments that need heavy reasoning. Keep durable state on disk so it survives restarts, can be inspected, and can actually be deleted.<p>Curious what others are seeing. For people building agents, what is the biggest blocker to running memory locally today: model quality, tooling, deployment, evaluation, or something else?